AFAIK 'statefulness' can be used in more than one sense. A Layer 4 firewall can use TCP connection *state* to link inbound and outbound traffic, whereas a Layer 3 'stateful' firewall uses socket pairs, i.e. IP:Port <-> IP:Port (so that sessionless protocols such as UDP can be controlled).
As the term 'stateful' firewall doesn't have a precise technical definition (that I know of) they can both be (and are!) described as 'stateful' - though many will argue about the latter!!

The problem of running an IPSec VPN in your situation would be the key exchange. Many cheap SOHO routers (i.e. £50) will automatically forward the IKE traffic (UDP/500) for a local IPSec node (so called IPSec Pass-Thru) when an IPSec VPN is 'detected'; if the PIX can do the same you could be in business.

-----Original Message-----
From: Gwydion Mine [mailto:[EMAIL PROTECTED]]
Sent: 13 June 2003 10:07
To: [EMAIL PROTECTED]
Subject: Encryption through NAT and State table

Hello Chaps,

I need to get a VPN working to a client site. Problem is that for one reason or another they do not want to configure inbound rules, only outbound, on their firewall (PIX). For this reason I will not be able to initiate the connection to our VPN end-point on the client network and instead will get this VPN end-point to send keep-alives to my end every so often to keep the VPN online.

My problem is what protocol to use, LPTP or IPSec (IKE, AH, ESP). Their network is on a 1918 and so the encrypted packets will need to flow through the NAT table on the PIX. On top of this, because of the lack of inbound connections, I guess it also needs to be stateful so that the PIX will allow the return connections....

I know that by allowing GRE on a pix the above will work for PPTP (and would assume LPTP) but ideally I want to use IPSec.

ALSO, I just want to know how it works 'cause I thought state worked on layer 4 - so in tunnel mode how does the state table work for the PPTP connection?

Does this make sense? Any ideas would be very much appreciated.

Thanks!!

Gwyd

---------------------------------------------------------------------------
Evaluating SSL VPNs? Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant, while InStat has confirmed Neoteris as the leader in marketshare. Find out why, and see how you can get plug-n-play secure remote access in about an hour, with no client, server changes, or ongoing maintenance. Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
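An added illustration of the reply's socket-pair 'stateful' model (example code, not from the list post and not how the PIX implements it), assuming a toy table keyed on protocol and IP:port pairs with an idle timeout: outbound IKE on UDP/500 creates an entry so its reply is admitted and outbound keep-alives refresh it, unsolicited inbound traffic is dropped, and ESP, which carries no ports, only gets through a pass-thru rule tied to the live IKE entry. All addresses are constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

INSIDE = ip_network("192.168.1.0/24")  # constructed: the client's RFC 1918 network behind the PIX
# sport/dport are None for port-less protocols such as ESP (IP proto 50); ts drives the idle timeout
Packet = namedtuple("Packet", "src dst proto sport dport ts", defaults=(None, None, 0.0))

class SocketPairStateTable:
    """Toy socket-pair ('Layer 3 stateful') table: outbound packets create an entry keyed on
    proto, src:sport, dst:dport; inbound packets pass only if they match an entry in reverse."""
    def __init__(self, idle_timeout=60.0, ipsec_passthru=False):
        self.entries = {}  # key -> last-seen timestamp
        self.idle_timeout, self.ipsec_passthru = idle_timeout, ipsec_passthru
    @staticmethod
    def key(p, reverse=False):
        if p.sport is None or p.dport is None:
            return None  # no ports: not representable as a socket pair
        t = (p.src, p.sport, p.dst, p.dport)
        return (p.proto,) + ((t[2], t[3], t[0], t[1]) if reverse else t)

    def filter(self, p):
        self.entries = {k: t for k, t in self.entries.items() if p.ts - t <= self.idle_timeout}
        if ip_address(p.src) in INSIDE:  # outbound is always allowed and creates/refreshes state
            k = self.key(p)
            if k is not None:
                self.entries[k] = p.ts  # an outbound keep-alive refreshes the entry
            return True
        k = self.key(p, reverse=True)  # inbound: only the reverse of a live outbound entry passes
        if k in self.entries:
            self.entries[k] = p.ts
            return True
        if p.proto == "esp" and self.ipsec_passthru:
            # pass-thru: admit ESP from a peer that has live IKE (UDP/500) state with an inside node
            return any(e[0] == "udp" and e[1] == p.dst and e[3] == p.src and e[4] == 500
                       for e in self.entries)
        return False

def run_scenario(ipsec_passthru):
    fw = SocketPairStateTable(idle_timeout=60, ipsec_passthru=ipsec_passthru)
    host, peer = "192.168.1.20", "203.0.113.10"  # constructed: inside VPN node / remote endpoint
    return {
        "ike_out":        fw.filter(Packet(host, peer, "udp", 500, 500, 0)),
        "ike_reply":      fw.filter(Packet(peer, host, "udp", 500, 500, 1)),
        "esp_in":         fw.filter(Packet(peer, host, "esp", ts=2)),
        "unsolicited_in": fw.filter(Packet(peer, host, "udp", 4444, 22, 3)),
        "keepalive_out":  fw.filter(Packet(host, peer, "udp", 500, 500, 50)),
        "ike_in_later":   fw.filter(Packet(peer, host, "udp", 500, 500, 100)),
        "ike_in_stale":   fw.filter(Packet(peer, host, "udp", 500, 500, 200)),
    }
```

Without pass-thru the ESP packet is dropped even though IKE state exists, and once no outbound traffic has refreshed the entry for longer than the idle timeout the inbound IKE packet is dropped too, which is why the original post's keep-alives matter.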